Introduction

• A method and metrics for Situational Awareness

• SA -> Monitoring trends and changes in traffic

• Analysis over time -> Time series data analysis

• Metrics related to time series are key for SA

• Variations over time -> Metrics for tracking

• Time windows and time scales are important to understand and interpret the metrics
Background

• Traffic patterns and variations important

• Engineering and performance

• SA for security - monitoring

• Important for anomaly detection

• Baselines for normalcy

• Thresholds | Inherent variations

• Alerts - Can be based on many metrics

• Metrics based on variations in traffic
Method of Analysis

• Analysis of flow data to investigate this issue

• Construct an initial time series | W and b

• Establish a time slot t (b < t < W)

• Estimate the standard deviations within each t

• Estimate the std. dev. of these std. dev.s [H]

• Compare this across varying bin sizes

• Vary time window (W)

• Compare t's across varying W | same bin size

• Metric can be tracked over time (successive Ws)
Variance of the Variance

[Figure: a time window split into slots t1, t2, ... with per-slot means μ1, μ2, ...]

Variance over time (traffic load)
Burstiness — Variance of the means

What about the variance of the variance?

=> Heteroscedasticity
Estimating Heteroscedasticity [H]

[Figure: slots t1, t2, ... with per-slot means μ1, μ2, ... and per-slot standard deviations σ1, σ2, ...]

σ(σ1, σ2, ...) = H

Important to monitor H as well.
CERT | Software Engineering Institute | Carnegie Mellon


Data and Design

• Analysis reported here was done with public domain data

• Two time windows (8 hours each)

• Two time scales (b = 4, 8 minutes)

• Analysis was done with SiLK and R

• Can be done with any flow data and scripts

• One set of comparisons shown

• A particular case of heteroscedasticity
Results

Table: Heteroscedasticity Estimates
(Overall standard deviation in parentheses)
(W1 = W2 = 8 hours; b1 = 4 min, b2 = 8 min)

        b1 = 4 min              b2 = 8 min
W1      13.57 MB (26.35 MB)     33.37 MB (50.10 MB)
W2       4.47 MB (10.66 MB)      7.99 MB (19.64 MB)
Conclusions

• An attack or intrusion usually implies some shift in traffic patterns

• One indicator of such shifts could be a change in the levels of heteroscedasticity

• This methodology has the potential to detect such attacks at an early stage

• Alert when H exceeds a threshold
Benefits

• This approach could detect attacks and intrusions that do not perturb the network traffic in other discernible ways

• Thus other techniques may not identify them early enough

• Early detection is important for effective mitigation

• This method also enhances SA by introducing a new metric to track traffic patterns
Future Work

Implications of changes in H w.r.t. time scales?
Repeat the analysis: wide W & different networks

Predictions from attack/intrusion models <H>
Test behavior of H with data with known attacks

Questions/comments?